Dutch crisis exercise makes payment world more secure against cyberattacks

Dutch crisis exercise makes payment world more secure against cyberattacks

Marcel Woutersen

Senior Communications Consultant

20 December 2018

Dutch crisis exercise makes payment world more secure against cyberattacks

Cybersecurity is a priority in all business sectors, as newspaper columns are increasingly filled with cyberattacks and hacks. The financial sector is no exception. That is why the biggest Dutch crisis simulation in six years took place last month. The main question was: are financial institutions and other stakeholders able to make the right decisions and communicate properly when there is a serious disruption of payment and securities transactions?

Leon Strous, Senior Policy Advisor at De Nederlandsche Bank (DNB), answers this question here and explains why this exercise, called Cyberscan III, is so important.

Threat is real

According to Strous, it is difficult to predict just how likely a crisis such as hackers shutting down payment transactions actually is. “We have to take into account that the threat is real.” Strous refers to several news items from the past year. Iranian hackers, for example, wanted to disrupt financial services in the United States as a retaliation for the US economic sanctions against Iran. The United Kingdom and the Netherlands accused Russiaof carrying out a number of cyberattacks to undermine Western democracies. If an attack led to people being unable to withdraw cash or use internet banking, the emergency would escalate quickly, leading to social disruption and substantial economic damage. Strous: “You have to be prepared when the situation gets out of hand, that’s why business continuity and crisis management is so important.”

The Cyberscan exercise was taken seriously, as the number of participants showed. There were 220 attendees in total, including representatives from the 17 most important parties in the payment and securities transaction chains. DNB, the Dutch Authority for the Financial Markets (AFM) and the Ministry of Finance, the bodies that would be in charge during a sector-wide crisis, were also present. Strous continues: “We even invited large telecom providers as well, because our payment and securities processes would not work without telecommunication. Furthermore, the National Cyber Security Centre, part of the Ministry of Justice and Security and the central banks of Belgium, England and Ireland, participated for the first time. The international character of the exercise made it unique.”

Effectively collect and streamline information

During the exercise, participants had to deal with different types of cyberattacks. “We simulated a DDoS attack and a situation in which data files were corrupted by hackers,” says Strous. “The question we were trying to answer was how to deal with an attack like this. How will such an attack effect the banking systems and how can we inform the public in an effective way? What information is relevant enough to share with the outside world? Of course you want to be as transparent as possible, but too much information can lead to confusion. Through these questions, we learn how all parties can effectively collect and streamline information. For example, experts need maximum focus and so it is not effective if they are constantly being asked for information while they are solving the problem. You must prevent that from happening.”

The evaluation is still in progress, but Strous can already say that the exercise went well. “Of course there is always room for improvement, but the payment world proved capable of making the right decisions in a crisis. The exercise goals were achieved. Communication went well. The escalation from the financial sector to the crisis organization of the government happened at the right time. That is the big advantage, that we went to the government level this time. We will now collect points of action. Because when the scope of the crisis expands and government bodies such as ministries get involved, a different dynamic arises. That is logical, when stakeholders get involved, it becomes more complex. It is a matter of finding the right alignment with the right parties at the right time. Fortunately, there have been many exercises in recent decades. The cooperation is going well. Even now that more and more parties are involved or are part of the financial sector.”

There will be a sequel

Strous is pleased to see that different stakeholders, sometimes with conflicting interests, functioned well together during the crisis scenario. That is another reason for these crisis exercises. And there will be a sequel. Strous explains: “We have an annual exercise calendar, but we also want to ensure that we do not overburden institutions. For example, you can brainstorm about the approach to some scenarios instead of actually practicing. So, we do not yet know exactly when the next exercise will be or what it will look like, but they have proven very useful.”

We use cookies to ensure you the best possible user experience on our website and to analyze how the site is used. If you continue without changing your settings, we assume that you accept the use of all cookies on this website. However, you are free to change your cookies settings at any time.